b0ec1c7d122a89d3a63908a592b62526f4fcf93672b57550ace10bdd0ac870fe

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f28d13c3ef806664ca602589226daa5.exe
Size

150KB
MD5

8f28d13c3ef806664ca602589226daa5
SHA1

6728f615477b8266ab952c75efd22c2cee3f6c0e
SHA256

b0ec1c7d122a89d3a63908a592b62526f4fcf93672b57550ace10bdd0ac870fe
SHA512

be5d4a2b32d93af5a791a8bb5dad555bdadd9c60a43bb69d45982182521a0053b80f8b4f6f18aae95758edf40a73b777eda3a18451587c3cd405ab2ad89119e0
SSDEEP

3072:79ELyQJ20T0hGgd5xD3Ls2kdMdV6LA4Rx6fBApS57i1ap/:79MJLTQD7sfdMdQA4R+Af1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4536	Pzygya.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	8f28d13c3ef806664ca602589226daa5.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	8f28d13c3ef806664ca602589226daa5.exe
File created	C:\Windows\Pzygya.exe	8f28d13c3ef806664ca602589226daa5.exe
File opened for modification	C:\Windows\Pzygya.exe	8f28d13c3ef806664ca602589226daa5.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Pzygya.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Pzygya.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	Pzygya.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\International	Pzygya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe
4536	Pzygya.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4536	2556	8f28d13c3ef806664ca602589226daa5.exe	86
PID 2556 wrote to memory of 4536	2556	8f28d13c3ef806664ca602589226daa5.exe	86
PID 2556 wrote to memory of 4536	2556	8f28d13c3ef806664ca602589226daa5.exe	86

C:\Users\Admin\AppData\Local\Temp\8f28d13c3ef806664ca602589226daa5.exe
"C:\Users\Admin\AppData\Local\Temp\8f28d13c3ef806664ca602589226daa5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\Pzygya.exe
  C:\Windows\Pzygya.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Pzygya.exe

Filesize
150KB

MD5
8f28d13c3ef806664ca602589226daa5

SHA1
6728f615477b8266ab952c75efd22c2cee3f6c0e

SHA256
b0ec1c7d122a89d3a63908a592b62526f4fcf93672b57550ace10bdd0ac870fe

SHA512
be5d4a2b32d93af5a791a8bb5dad555bdadd9c60a43bb69d45982182521a0053b80f8b4f6f18aae95758edf40a73b777eda3a18451587c3cd405ab2ad89119e0

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
362B

MD5
2cc22bc7e3aa65ad6ab08493b970529a

SHA1
056a43cba07918bd89a991f67e2fa6520c75733c

SHA256
89fc47c6ea4f5266bb5fc14edd70b32fa148c7f52d0797c572d138536ee5ceae

SHA512
179c7dc9910d171b0d0d691af2c4d664809299349066c065bc0c41e55c13336904bf16b3553247bd1d2a3ad2ef56a1ca9e4e5308b2b9dd1330bac78ae83422b2

Download Submit
memory/2556-16031-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-0-0x0000000000720000-0x000000000074A000-memory.dmp

Filesize
168KB

Download
memory/2556-6211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-33765-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-71566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-22261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-27822-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-45519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-63083-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-9616-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-84517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-97426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-109899-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-121750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-131984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-145251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-153503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-153504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download